From cc17225d10154565a82de709fab8465931b876b0 Mon Sep 17 00:00:00 2001
From: Dmitry Volyntsev
Date: Thu, 21 May 2026 16:50:41 -0700
Subject: [PATCH] QuickJS: fixed Buffer.toJSON() data ownership The property definition consumes ownership, so freeing the result object is enough on later error paths. Returned JS_EXCEPTION on property-definition failures instead of the unrelated typed-array lookup result.
---
 src/qjs_buffer.c | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/src/qjs_buffer.c b/src/qjs_buffer.c
index 90515f74..aa597764 100644
--- a/src/qjs_buffer.c
+++ b/src/qjs_buffer.c
@@ -1347,22 +1347,20 @@ qjs_buffer_prototype_to_json(JSContext *ctx, JSValueConst this_val, int argc,
 if (rc == -1) {
 JS_FreeValue(ctx, obj);
 JS_FreeValue(ctx, data);
- return ret;
+ return JS_EXCEPTION;
 }
 rc = JS_DefinePropertyValueStr(ctx, obj, "data", data, JS_PROP_ENUMERABLE);
 if (rc == -1) {
 JS_FreeValue(ctx, obj);
- JS_FreeValue(ctx, data);
- return ret;
+ return JS_EXCEPTION;
 }
 for (i = 0; i < src.length; i++) {
 rc = JS_SetPropertyUint32(ctx, data, i, JS_NewInt32(ctx, src.start[i]));
 if (rc == -1) {
 JS_FreeValue(ctx, obj);
- JS_FreeValue(ctx, data);
- return ret;
+ return JS_EXCEPTION;
 }
 }
-- 2.47.3
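Review bot: After `JS_DefinePropertyValueStr(ctx, obj, "data", data, ...)` the `for` loop still writes through `data`, which from that point is only a borrowed reference kept alive by `obj`, and nothing in the code says so. The first error path in the hunk still frees both values while the two later ones free only `obj`, so the asymmetry invites a future edit that re-adds `JS_FreeValue(ctx, data)` and brings back the double free. I would add a comment above the loop such as `/* "data" is owned by obj from here on; it must not be freed separately and must not be used after obj is freed. */`. These paths are presumably reached only when allocation fails, so it is worth confirming that some fault-injection or sanitizer run actually exercises them. The function starts before and continues past this hunk, so the declaration of `ret` and the final return are not visible here.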